Information Security: Employee Errors Put Data at Risk

Government data security breaches include e-mail, Web site attachments.

If you work in IT, recent goings-on in the security realm could be enough to make you throw your arms up in despair and kiss the safety of your data goodbye. Reports make it seem downright hopeless.

The 2008 Data Breach Investigations Report released by the Verizon Business Risk Team compiled data from more than 500 forensics cases the team handled from 2004 to 2007, comprising more than 230 million breached records. Although some of the breaches were attributed to malicious activity, human error contributed to 62 percent of the cases.

And things don't look much better in government. News-savvy professionals may have kicked off the year by reading sobering figures released by the Identity Theft Resource Center (ITRC), a nonprofit that educates organizations on fraud and identity theft mitigation. In 2008, more than 2 million government and military records were accidentally compromised, and 638,000 were compromised while data housed on laptops and other mobile equipment. That's nearly 2.7 million total breached records.

Misadventures in Data Handling

Although IT managers may not immediately think of accidental breaches when data security comes to mind, these types of errors have often popped up in the public sector recently.

Case in point: On Dec. 18, 2008, the Concord Monitor reported that the names, addresses and Social Security numbers of more than 9,000 citizens enrolled in Medicare Part D were included in an e-mail attachment that New Hampshire's Department of Health and Human Services sent to health-care providers. And why? Someone goofed, according to the newspaper.

"We have a process in New Hampshire where staff periodically send out informational updates to our health and human service providers with regards to any changes or information pertinent to the Medicare Part D program," said Nancy Rollins, associate commissioner of the department.

On Dec. 1, 2008, the department e-mailed 61 service providers informing them that New Hampshire would be offering fewer plans in the 2009 program. But the message's Microsoft Excel attachment contained quite a bit more.

"Part of the workbook also contained information regarding low-income subsidy individuals who are on Medicare Part D," Rollins said. The private information belonged to more than 9,000 individuals, about half of New Hampshire's 18,000 program enrollees at the time.

"The data, however, wasn't easily discerned unless you actually went into the workbook and clicked on a couple of other tabs, and then you had to scroll from right to left, so you had to really dig for this," Rollins said.

On Dec. 4, one of the providers, Granite State Independent Living, called to notify the state that it had received the extra data. Health and Human Services went to work on the issue.

"We immediately contacted all of our original folks that we had sent the e-mail to, asked them to delete the e-mail and attest to the fact that they had indeed deleted the e-mail," Rollins said.

Some of the service providers forwarded the e-mail to other recipients however. In the end, Rollins recalled, about 481 recipients received more information than they were supposed to.

Health and Human Services also asked providers to follow up with the agencies to whom they forwarded the information and ask them to delete it, and the department also requested written confirmation that the e-mail was deleted. In addition, the department created a three-person team to review information-handling procedures.

New Hampshire's breach, as embarrassing as it was, isn't an anomaly in government. Breaches have been in the news -- either due to mistakes by personnel or while data was in transit.

In October 2008, The Indianapolis Star reported that

a spreadsheet with names, Social Security numbers and birth dates of 3,300 people charged with minor drug and alcohol offenses was mistakenly posted to the Indianapolis government Web site for 11 days.

In October 2008, The Charleston Gazette reported that a laptop containing personal information of more than 500 West Virginia state employees was stolen from a contractor's parked vehicle.

In July 2007, The North County Times reported that credit card and checking account information for about 1,200 people who had enrolled in city recreation programs was posted in a public folder on the Encinitas, Calif., city Web site for three months.

In August 2007, the New York Daily News reported that a laptop containing the names, addresses, Social Security numbers and pension information of about 280,000 New York City retirees was stolen from a restaurant. The laptop had been in the possession of a contractor.

In the Indianapolis and Encinitas cases, as in New Hampshire, the compromised organizations didn't know about the breaches until quite some time after they occurred. According to the Verizon report, that's not uncommon in the public or private sectors.

Too Little, Too Late?

Verizon's figures reveal that it was months before 63 percent of breached organizations knew about them, weeks for 18 percent, days for 14 percent, hours for 3 percent and years for 2 percent.

"We're finding it's taking months for these entities -- whether it's government or the private sector -- to realize they've been breached. Not only that -- they're not the ones realizing it," said Eric Brohm, a senior security consultant for Verizon. "The realization is often coming from the third party in three out of four of those cases."

As Brohm said, 75 percent of breaches cited in the report were discovered by a third party, and 66 percent of them involved information the breached organizations didn't even know existed.

So how are organizations letting such an embarrassingly high number of breaches slip through the cracks? The problem may be a collective case of poor information management.

"The No. 1 thing they are not doing now that they should be doing is monitoring the IT security measures they already have in place," Brohm said. "A very simple example of that is: We do a lot of cases where people have great, verbose Web logs that are logging every bit of information on every single transaction that comes and goes from their site. The evidence of the breach is right in there, but no one's bothering to look at it."

He said in many of the risk team's cases, organizations haven't audited their systems. Consequently they haven't tracked what data they have, where it goes and what applications or devices store it.

Jay Foley, executive director of the Identity Theft Resource Center (ITRC), advises organizations to be sure their audits include reviews of policies and procedures for data handling and privacy. Documentation should explain how pieces of information are dealt with, from dissemination to destruction.

"There should be policies on what information we publish -- i.e., what stuff do we put on our Web site? What criteria does it meet? Secondarily [we should examine] how we handle the information as it goes across the desks of our organization's people, as it's stored after-hours, as it reaches its final destination in our organization, and where it's stored on a permanent basis until it's recommended for disposal. Last, but not least, how do we dispose of it?" Foley said.

And it wouldn't hurt for employees to be told why the information is so important to protect, he said.

"My favorite example of all time: You walk in and the clerk is asking you to fill out a form. You look at it and say, 'Why do you need my Social Security number?' and he says, 'Well, because it's on the form,'" Foley said. "If that's the only understanding your people have of what's on the form and why it's there, how can I walk away from your office thinking I'm safe and that you'll protect my information?"

The ITRC offers training and consulting on breach mitigation to organizations. Linda Foley, co-founder of the center with her husband Jay, said she asks a set of typical questions to clients whose employees carry data on mobile equipment.

"If the cause of the breach was the fact that someone had taken information home to work on and their laptop was stolen from the front seat of their car while they were in a gym: No. 1, why is the laptop not hidden? No. 2, why is it going home? No. 3, why is there personal identifying information, such as Social Security numbers, on that laptop?" she said.

She said governments should get creative in protecting Social Security numbers that are stored in the office or can be accessed on the move. As an example, she cited anonymous studies in which participants are identified by randomly generated numbers.

At the ITRC, even she doesn't have permission to see all types of information, and she's an executive there. "I don't have permission to see certain files, because I don't have a need to know. Checks and balances -- I don't need anyone's Social Security number for any purpose whatsoever; therefore, I should not ever see them."

Photo: Kevin Mitnick, founder, Mitnick Security Consulting

Kevin Mitnick, founder of Mitnick Security Consulting, said it all comes down to employee awareness and diligence. Sophisticated software may be what people think of when they want to secure against external breaches, but human error on the inside is a different kind of threat.

"Technology, I don't think, can prevent some employee from faxing off something that's inappropriate," Mitnick said. "Technology could be used to encrypt information, but training people is not a technology problem. It's a people problem."

Nightmare in the Breach

In 2007, the Lynchburg, Va., government found out firsthand why it's important to assess information-management procedures. The (Lynchburg) News & Advance reported in June 2007 that the personal information of more than 1,000 municipal employees and retirees -- including birth dates and Social Security numbers -- was included in an Excel spreadsheet attached to an RFP posted to the procurement section of the city's Web site.

The reason? Lynchburg wanted solicitations from third parties to provide pharmacy services, so it placed the RFP on its procurement page. One vendor asked the city for an extract of medical codes, which helped the vendor determine the city's usage of prescriptions. Lynchburg saw no problem providing this information but decided that if one vendor could see it, all of them should have access.

The information was put in a spreadsheet and attached to the online RFP. The problem was that the spreadsheet also had the names of employees and retirees who filled prescriptions during that year under the city's previous pharmacy coverage, along with other personal information.

According to Lynchburg Human Resources Director Margaret Schmitt, no city employees thoroughly examined the spreadsheet to omit the extraneous data, so when the affected employees and retirees Googled themselves, their personal information was included in the search results. Bad news for Lynchburg.

"When Google looked at our site, it also went into attachments. It's something we found out after the fact -- that Google, when

it crawls across your site, also crawls across attachments," Schmitt said. "That's where our problem came: that it was on Google. Not that it was actually posted on our site, but that Google picked it up."

The city discovered the problem after an employee's spouse Googled herself to find out what a potential employer could see about her on Google. She found her name, birth date and Social Security number on the search engine.

"I think the attachment was there less than 10 days, so once we found out about it we took the information off the Web site," Schmitt said. But the city had to contact Google to get the technology giant to remove the searchable information from its indexes, which didn't happen until weeks later.

Lynchburg no longer automatically adds attachments to RFPs and has since placed data-sharing and handling procedures under review, she said. The city had already been trying to improve IT security, but the breach made the issue more pressing.

"I think an incident like this caused us to have a little bit more urgency in getting things put together," she said. "It also is, unfortunately, one of the best examples of why people need to pay attention to things like security policies, because they talk about how you manage data in a global sense."

After the Exposure

Sure, data breaches can be horrific, but depending on the information that's compromised, they might not necessarily be earth shattering.

"In my opinion, exposing Social Security numbers is not the gravest breach in the world. Because all it takes is an Internet browser and a credit card to get anybody's Social Security number in a matter of seconds," Mitnick said.

"You don't have to be a private investigator. You don't have to be law enforcement," he said. "All you really have to know is where to look, where this information is being sold legally."

Mitnick wouldn't disclose specific information brokers or databases, but he may have been referring to sites like www.secret-info.com, which was mentioned in a 2005 Newsmax.com article, Social Security Numbers Are for Sale Online. The site offers Social Security number searches for $45 by credit card. A thorough Google search turns up similar brokers that have varying degrees of checks and balances to ensure that requestors are legit. Bestpeoplesearch.com offers Social Security number searches for free from "publicly available data systems" but says a requester must provide documents to substantiate the request and that the people whose numbers are searched will be notified.

It would help ensure the safety of Social Security numbers and other personal data if local governments prevented breaches. Citizens expect cities, counties and states to safeguard their privacy.

In Verizon's forensic work, Brohm said employees who caused accidental breaches are often terminated, depending on the severity of the mistakes.

"As we're progressing with an investigation, we may find that some individual may no longer be a point of contact because they were let go due to a breach," Brohm said. "It makes our job that much tougher because when you usually go onsite for these things, there's a lot of finger pointing. A lot of politics takes place in the background because people are afraid that they're going to be terminated at the end of it."

Schmitt said "appropriate disciplinary action" was taken against the employees in Lynchburg who were found responsible for the city's breach, but she would not say exactly what that action was.

"Companies just aren't enforcing policies enough to make that person second-guess whether or not to send that e-mail that may or may not contain information," Brohm said. "There's so much breaking of the policies that go on within organizations that it's not so much having the policies in place, but enforcing the policies."

Moving On

Even if governments take corrective action after the incident, accidents can't be undone and the information is still compromised no matter what happens behind the scenes.

While governments can't go back in time, they can work hard to regain citizens' trust. After its breach, the New Hampshire Department of Health and Human Services sent a letter to many affected citizens. Rollins said the letter advised them on what they could do to protect their credit rating. The department also set up a phone bank that operated for two weeks.

According to the Concord Monitor, the phones were manned from 8 a.m. to 4 p.m. and had voicemail for after-hours calls. "It was basically like a war room where we had a huge whiteboard," Rollins said. The room had information on hand so people would know what to say to callers with questions.

In Lynchburg, Schmitt contacted city manager Kimball Payne about its breach and they began citizen outreach and remediation immediately.

"We initially sent a letter to them that said, 'Hey, we messed up. Here's the scope of the problem,'" Schmitt said. The city also created a hotline for employees to call and had a public meeting. "The city manager and I stood up in front of 200 people and begged their forgiveness, essentially," she said.

Lynchburg also followed up with those who were affected and offered identity-protection services for a year.

The process was tense for Schmitt. "I've been in some really difficult situations. This is the first time that I've ever stood in front of a group of employees who I thought were going to throw something at me," she said. "It was a very difficult thing but at the same time, I think we earned a lot of respect for standing up, not making excuses and just admitting the fact that we made a mistake."